Reflected XSS Vulnerability in Visitor Maps Extended Referer Field Plugin by WordPress
CVE-2025-69389

7.1HIGH

Key Information:

Vendor: WordPress
Status: Visitor Maps Extended Referer Field
Vendor: CVE Published:; 20 February 2026

What is CVE-2025-69389?

An improper neutralization of input during web page generation has been identified in the Visitor Maps Extended Referer Field plugin, allowing attackers to execute JavaScript code in the context of a user's browser. This Reflected XSS vulnerability permits malicious actors to manipulate the content displayed to users, potentially leading to unauthorized actions or data theft. Users of versions up to 1.2.6 are advised to take immediate action to secure their applications and protect their systems from exploitation.

Affected Version(s)

Visitor Maps Extended Referer Field 0 <= 1.2.6

References

https://patchstack.com/database/Wordpress/Plugin/visitor-...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Dec 31, 2025

Credit

Skalucy | Patchstack Bug Bounty Program

CVE-2025-69389 Data

JSON